The Privacy Commissioner, Marie Shroff, told us last week that public trust is being eroded by government sector breaches. She said government agencies have huge databases of information which the public is forced to provide, that in return they need to look after that information properly, and that public sector agencies need stronger controls in place when handling spreadsheets of personal information.
Last year she warned us that the public sector can’t afford to be complacent. It’s quite clear that agencies holding large amounts of personal information need to place greater value on that information asset. They need to develop strong leadership and a culture of respect for privacy, as well as day-to-day policies and practices to provide trustworthy stewardship of our personal information at every level of the organisation. There has been far too little focus on the fact that there are real people behind the masses of information that government agencies hold.
Data breach notification isn’t currently required by law, but the Law Commission recently recommended that it should be made compulsory where breaches put people at risk. That would bring New Zealand law into line with practice overseas.
The private sector has warned repeatedly that New Zealand has a major problem with information security. A strategy released late last year by a group of IT security professionals said that, although technological innovation is high within the New Zealand market, the national spend on educating, training, and developing skilled technical personnel is surprisingly low, creating an imbalance and directly contributing to the fragility and vulnerability of our nation’s IT systems. If that is not a significant warning, I do not know what is.
Last week the chief executive officer of the Institute of IT Professionals, Paul Matthews, said that the Earthquake Commission had failed Security 101 and that it was Mickey Mouse stuff that such sensitive information could be sent so easily to an outside person.
We are daily finding out about more data breaches, which indicates that they are commonplace.
The solutions aren’t off the shelf, but the Government’s refusal to treat the breaches as systemic, requiring the highest attention, is very concerning.
The reason for many breaches will no doubt lie in the way each department’s and agency’s IT systems have grown. Privacy and security systems are unlikely to have been built into these systems from the very beginning. Many issues can be resolved by training the people who use the systems in simple procedures to protect data. IT solutions exist to password-protect spreadsheets being sent out as attachments, and sometimes to prevent email attachments, full stop.
An across-government response is required, with a Chief Technology Officer with clout responsible to the Prime Minister. Our approach to information security is 20th century and inexcusable. I fear the public service is ill-resourced to deal with the ongoing breaches we have faced and will face.
Instead, we have a Prime Minister who shrugs his shoulders and dismisses the breaches as “inevitable, human error and a trade-off”. He may rue those remarks.
NB: Have attempted to contact Threat Toons for copyright permission, but have repeatedly been blocked from accessing their site. Might be the title. Happy to continue trying.